Abstract

We investigate several quantum public-key encryption (QPKE) protocols for
classical messages, and show that some of them are information-theoretically
secure. We first present two QPKE schemes for one-bit messages, then
extend them to two kinds of QPKE schemes for multi-bit messages. A new
structure of these protocols ensures their information-theoretic security. All
the schemes are designed with conjugate-coding single-photon strings, and thus
may be realized in the laboratory with present-day techniques.
1. Introduction

Public-key encryption was first proposed in 1976 [1, 2]; it allows two
parties to communicate secretly without presharing a secret key.
However, the security of any public-key cryptography scheme is based on a
mathematically difficult problem, whose difficulty has not been proved. For
quantum computers, most of these problems are no longer difficult [3], so
the related public-key protocols are not secure.

We therefore need new public-key schemes that resist the attacks of
quantum adversaries. One solution is private-key protocols with the aid of
quantum key distribution (QKD). Many schemes of QKD have been
proposed. Another solution is to construct quantum public-key
encryption (QPKE). Okamoto et al. [9] introduced a public-key encryption
scheme with a quantum algorithm in the key generation phase. Gottesman [10] is
the first to put forward a protocol named "quantum public key cryptography
with information-theoretic security". However, the security of this scheme
has not been proved. Yang et al. [11], [12] investigated public-key encryption
of quantum messages based on induced trap-door one-way transformation.
Kawachi et al. gave a QPKE scheme of "computational indistinguishability"
of two quantum states [13], [14] based on the automorphism group of graphs
problem. Nikolopoulos presented a QPKE scheme [15] based on single-qubit
rotations, and further studied its security [16]. Gao et al. also discussed the
security of the scheme in [15], and proposed a new idea for QPKE [17].

The ciphertext-indistinguishability under chosen plaintext attack (IND-CPA)
[18] can be understood as follows: when the adversary chooses two plaintexts
and is then given one of the corresponding ciphertexts, the adversary
still cannot determine which plaintext corresponds to the previously unseen
ciphertext he received.

Strictly speaking, the concept of information-theoretic IND-CPA is defined
as [19]: for every circuit family $\{C_n\}$, every positive polynomial $p(\cdot)$, all
sufficiently large $n$, and every $x, y \in \{0,1\}^*$, the probability $\Pr(\cdot)$ satisfies:

$$\left|\Pr[C_n(G(1^n), E_{G(1^n)}(x)) = 1] - \Pr[C_n(G(1^n), E_{G(1^n)}(y)) = 1]\right| < \frac{1}{p(n)}. \tag{1}$$

In the case of QPKE, the information-theoretic quantum IND-CPA is defined
as [20]:

Definition 1. A quantum public-key encryption scheme is information-theoretically
ciphertext-indistinguishable under quantum CPA if for every
quantum circuit family $\{C_n\}$, every positive polynomial $p(\cdot)$, all sufficiently
large $n$, and every bit-string $x, y \in \{0,1\}^*$, the probability $\Pr(\cdot)$ satisfies:

$$\left|\Pr[C_n(G(1^n), E_{G(1^n)}(x)) = 1] - \Pr[C_n(G(1^n), E_{G(1^n)}(y)) = 1]\right| < \frac{1}{p(n)}, \tag{2}$$

where the algorithm $E$ is a quantum encryption algorithm, and the ciphertexts
$E(x)$, $E(y)$ are quantum states.

It can be proven [21] that if the trace distance of any two different
ciphertexts is 0(^r), Eq. (2) is valid, thus the quantum public-key encryption
scheme is information-theoretically secure.

The term "bounded information-theoretically secure" means that the number
of plaintext bits encrypted with information-theoretic security has an
upper bound. In [14], this bound of the protocol is proven to be the bit
number of the private key [22], thus it is much less than that of a practical one.

Here we give several QPKE schemes for classical messages. Some of them
are shown to be information-theoretically secure. They are designed using a
conjugate-coding single-photon string, and thus may be realized in the laboratory.



2. Schemes encrypting one-bit message

Let $k = (k_1, \dots, k_n)$ be an n-bit string, where $k_1, \dots, k_n \in \{0,1\}$. For the
Hadamard transform $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, we define
$H_k = H^{k_1} \otimes \cdots \otimes H^{k_n}$, where $H^0$ is the unit operator $I$, and $H^1$ is $H$.
Similarly, for the Pauli operator $Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}$, we define
$Y_k = Y^{k_1} \otimes \cdots \otimes Y^{k_n}$. Let $\Omega_0 = \{i \in \{0,1\}^n \mid W_H(i) \text{ is even}\}$ and
$\Omega_1 = \{i \in \{0,1\}^n \mid W_H(i) \text{ is odd}\}$, where $W_H(i)$ means the Hamming weight of $i$.

2.1. First scheme 

2.1.1. One-way function of the scheme 

A trapdoor one-way function is necessary in public-key cryptology. A one-way
function (OWF) based on classical computational complexity hypothesis
[18] is a function $f$ such that for each $x$ in the domain of $f$, it is easy to
compute $f(x)$; but for essentially all $y$ in the range of $f$, it is infeasible to
find any $x$ such that $y = f(x)$ in expected polynomial time, i.e.

$$\Pr[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] < \frac{1}{p(n)}. \tag{3}$$

A trapdoor one-way function [18] is a one-way function $f$ with the additional
property that given some extra information (called the trapdoor information),
it becomes feasible to find an $x$ in the domain of $f$, for any given $y$ in
the range of $f$, such that $f(x) = y$.

The one-way property of a classical OWF is usually in the sense of
computational security, i.e., it is based on an assumption about the adversary's
power of computation. The quantum one-way transformation (OWT) we give is in the
sense of information-theoretic security, because it is based on a property
of quantum states: people with the correct basis can get the exact bits
contained in the states, but without the information of the basis, they can only get
them with a negligible probability.

In the first scheme for one-bit messages, the OWT maps
the classical message $b$ to an unknown state

$$\rho_b = \sum_{j_1 \oplus \cdots \oplus j_n = b} Y_j \left[ \sum_F H_{F(s)} \left( \sum_{i_1 \oplus \cdots \oplus i_n = 0} p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j.$$

The trapdoor information is the basis string $k = F(s)$ on which the quantum states are
encoded. The private key is a Boolean function $F$. Using $s$, the classical part
of the public key, the private-key owner can get the trapdoor information $k$
by $k = F(s)$.

2.1.2. The scheme 

[Key Generation] During this phase, Bob can do as follows:

(G1) Select randomly a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^n$
as his private key;
(G2) Select randomly $s \in \{0,1\}^m$, and compute $k = F(s)$;
(G3) Generate $|i\rangle$ with $i \in \Omega_0$;
(G4) Apply $H_k$ to $|i\rangle$, and take the classical-quantum pair $(s, H_k|i\rangle)$ as one
of his public keys.

$F$ can be generated efficiently. Each output of the Boolean function $F$
can be written as

$$F^i(s) = \bigoplus_{d_1, \dots, d_m} a^i_{d_1 \cdots d_m}\, s_1^{d_1} \cdots s_m^{d_m}, \tag{4}$$

where $i = 1, \dots, n$. There are $2^m$ terms to add up in each $F^i(s)$. After $m$
coin tosses, we have determined one instance of $d_1, \dots, d_m$. We let
the corresponding $a^i_{d_1 \cdots d_m} = 1$, then one term is determined. If we toss the
coin $m \cdot O(m)$ times, $O(m)$ terms are determined. We then set the other terms
to zero. Thus $F$ can be efficiently generated by a polynomial algorithm.
This algorithm produces many strings of $m$ random bits, and the number of
the strings is polynomial in $m$.

Bob generates a large number of public keys with one private key $F$. In
each of these public keys, $s$ is different. The classical string $s$ is bound to
the quantum state $H_k|i\rangle$ as a label.

[Encryption] If Alice wants to send a one-bit message $b$ to Bob, she should
get one of Bob's public keys, and then:

(E1) Select $j$ randomly from $\Omega_b$;
(E2) Alice applies $Y_j$ to $H_k|i\rangle$, and then sends $(s, Y_j H_k|i\rangle)$ to Bob.
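The ciphertext state for the adversary is

$$\rho_b = \sum_{j_1 \oplus \cdots \oplus j_n = b} Y_j \left[ \sum_F H_{F(s)} \left( \sum_{i_1 \oplus \cdots \oplus i_n = 0} p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j, \tag{5}$$

and the quantum part of the ciphertext for a selected $j$ is

$$Y_j \left[ \sum_F H_{F(s)} \left( \sum_{i_1 \oplus \cdots \oplus i_n = 0} p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j. \tag{6}$$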



[Decryption] After receiving the ciphertext, Bob should:

(D1) Calculate $k = F(s)$;
(D2) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure it in the basis $\{|0\rangle, |1\rangle\}^n$.

Finally, Bob gets the one-bit message from the parity of the bit string he
received. The state after applying $H_k$ to $Y_j H_k|i\rangle$ is

$$H_k Y_j H_k|i\rangle = (-1)^{k \cdot j}\, Y_j|i\rangle = (-1)^{j \cdot (i \oplus k) + W_H(j)/2}\, |i \oplus j\rangle. \tag{7}$$

Thus, after measuring it, Bob gets $|i \oplus j\rangle$, where $\oplus$ is bit-wise addition modulo
2. The parity of $W_H(j)$ is equal to the parity of $W_H(i \oplus j)$, because $W_H(i)$
is even. Then the message (plaintext) is obtained.
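The coin-tossing construction of Eq. (4) and the steps (G1)-(G4), (E1)-(E2) and (D1)-(D2) above can be simulated classically, because every state in the scheme is a product of single qubits. The following is an added example, not code from the paper; the function names, the parameter sizes and the choice of m monomials per output bit are assumptions made here.

```python
import math
import random

R = 1 / math.sqrt(2)
H = ((R, R), (R, -R))        # Hadamard transform
Y = ((0, -1j), (1j, 0))      # Pauli operator Y


def apply(gate, q):
    """Apply a 2x2 gate to one qubit given as an amplitude pair."""
    return (gate[0][0] * q[0] + gate[0][1] * q[1],
            gate[1][0] * q[0] + gate[1][1] * q[1])


def prob_zero(q):
    """Probability of outcome 0 in the {|0>, |1>} basis (rounded against float noise)."""
    return round(abs(q[0]) ** 2, 12)


def gen_F(m, n, rng):
    """Private key F: {0,1}^m -> {0,1}^n in the sparse form of Eq. (4).

    For each output bit, m coin tosses fix one exponent vector d whose
    coefficient is set to 1; repeating this m times is the assumed O(m) choice.
    """
    return [{tuple(rng.getrandbits(1) for _ in range(m)) for _ in range(m)}
            for _ in range(n)]


def eval_F(F, s):
    """Each output bit is the XOR of the selected monomials s_1^d_1 ... s_m^d_m."""
    return [sum(all(st for st, dt in zip(s, d) if dt) for d in monos) % 2
            for monos in F]


def keygen_public(F, m, n, rng):
    """(G2)-(G4): pick s, compute k = F(s), pick an even-weight i, prepare H_k|i>."""
    s = [rng.getrandbits(1) for _ in range(m)]
    k = eval_F(F, s)
    i = [rng.getrandbits(1) for _ in range(n - 1)]
    i.append(sum(i) % 2)                      # forces i into Omega_0
    qubits = []
    for it, kt in zip(i, k):
        q = (1, 0) if it == 0 else (0, 1)
        qubits.append(apply(H, q) if kt else q)
    return s, qubits


def encrypt(b, public_key, rng):
    """(E1)-(E2): pick j with parity b and apply Y_j to the quantum part."""
    s, qubits = public_key
    j = [rng.getrandbits(1) for _ in range(len(qubits) - 1)]
    j.append((sum(j) + b) % 2)                # forces j into Omega_b
    return s, [apply(Y, q) if jt else q for q, jt in zip(qubits, j)]


def decrypt(F, ciphertext, rng):
    """(D1)-(D2): recompute k = F(s), undo H_k, measure, return the parity."""
    s, qubits = ciphertext
    k = eval_F(F, s)
    outcome = []
    for q, kt in zip(qubits, k):
        q = apply(H, q) if kt else q
        outcome.append(0 if rng.random() < prob_zero(q) else 1)
    return sum(outcome) % 2


def measure_without_key(ciphertext):
    """Outcome-0 probabilities seen by a party that lacks F and measures
    every qubit in the {|0>, |1>} basis."""
    return [prob_zero(q) for q in ciphertext[1]]


if __name__ == "__main__":
    rng = random.Random(2012)                 # constructed seed
    F = gen_F(8, 16, rng)
    for b in (0, 1):
        ct = encrypt(b, keygen_public(F, 8, 16, rng), rng)
        print("sent", b, "decrypted", decrypt(F, ct, rng))
        print("  P(0) without k:", measure_without_key(ct))
```

With the key, the measurement is deterministic and the parity equals b; without it, every position where the bit of k is 1 yields outcome 0 with probability 0.5, which is the conjugate-coding property the trapdoor relies on.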

2.1.3. Security analysis 

The adversary has two ways to attack the QPKE scheme. One is to
attack the plaintext by distinguishing the two ciphertexts; another is to attack
the private key $F$ by getting information about $k$.

For the first way of attack, we now prove that the trace distance between
the two different ciphertexts $\rho_0$ and $\rho_1$ is O(^). The quantum part of the public
key $H_k|i\rangle$ is a state consisting of $n$ qubits from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, and
the total number of $|1\rangle$ and $|-\rangle$ is even. After encryption by Alice, the state
still consists of $n$ qubits from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$.

If the message is 0, the number of 1s in $j$ is even, so the number of qubits
operated on by $Y$ is even. If the number of $Y$ on $|1\rangle$ and $|-\rangle$ is odd, then the
number of $Y$ on $|0\rangle$ and $|+\rangle$ (which produce $|1\rangle$ and $|-\rangle$) is odd. Remember
that the number of $|1\rangle$ and $|-\rangle$ which are unchanged is odd, so after encryption by
Alice, the total number of $|1\rangle$ and $|-\rangle$ will be even. Given $s$ which is randomly
selected, because of the way $F$ is generated, the randomness of $k$ can be
ensured. The analysis when the message is 1 is similar. Then we can write
the state of the ciphertext when the message is $b$ as:



Pb 



2 2 



(8) 



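where $|\psi_{ij}\rangle = H^i X^j |0\rangle$.

Now we calculate the trace distance between $\rho_0$ and $\rho_1$ using the method
in [23]. Define two trace-preserving quantum operations $\mathcal{E}_1$ and $\mathcal{E}_2$, for any
n-bit quantum state $\rho$

$$\mathcal{E}_1(\rho) = U^{\otimes n} \rho\, U^{\otimes n \dagger}, \tag{9}$$

and

$k \in \{0,1\}^n$

Here $U = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & -1 \\ 1 & 1 \end{pmatrix}$, which rotates each qubit of $\rho$ around the y axis
by an angle of $\pi/2$.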



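Define

$$\sigma_0 = \frac{1}{2^{n-1}} \sum_{j_1 \oplus \cdots \oplus j_n = 0} |\phi_{j_1}\rangle\langle\phi_{j_1}| \otimes \cdots \otimes |\phi_{j_n}\rangle\langle\phi_{j_n}|,$$

where $|\phi_j\rangle = H^j|0\rangle$.
We can see

$$U|0\rangle = |+\rangle, \quad U|+\rangle = |1\rangle, \quad U|-\rangle = |0\rangle.$$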



£ 2 £i(co) 
£ 2 (?7fVo?7f nt ) 

4 4 



Because

$$H^i U|0\rangle = \begin{cases} |+\rangle & (i = 0) \\ |0\rangle & (i = 1) \end{cases}$$



(11) 



(12) 



(13) 
$$H^i U|+\rangle = \begin{cases} |1\rangle & (i = 0) \\ |-\rangle & (i = 1) \end{cases}$$

then



£2 £1(0-0) 

Yl \^hh)(^hjl\---\^inju)(^i n 



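That means

$$\mathcal{E}_2 \mathcal{E}_1(\sigma_0) = \rho_0.$$

And similarly we define

$$\sigma_1 = \frac{1}{2^{n-1}} \sum_{j_1 \oplus \cdots \oplus j_n = 1} |\phi_{j_1}\rangle\langle\phi_{j_1}| \otimes \cdots \otimes |\phi_{j_n}\rangle\langle\phi_{j_n}|.$$

We can get

$$\mathcal{E}_2 \mathcal{E}_1(\sigma_1) = \rho_1.$$

As trace-preserving quantum operations are contractive [24], we get

$$D(\rho_0, \rho_1) \le D(\sigma_0, \sigma_1).$$

$D(\sigma_0, \sigma_1)$ is easy to compute. By mathematical induction, we have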



(14) 

(15) 

(16) 

(17) 
(18) 



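$$\sigma_0 - \sigma_1 = \frac{1}{2^{n-1}} \left( |0\rangle\langle 0| - |+\rangle\langle +| \right)^{\otimes n} = \frac{1}{2^{n-1}} \begin{pmatrix} \frac{1}{2} & -\frac{1}{2} \\ -\frac{1}{2} & -\frac{1}{2} \end{pmatrix}^{\otimes n}. \tag{19}$$

Then

$$D(\sigma_0, \sigma_1) = \frac{1}{2}\,\mathrm{tr}\left|\sigma_0 - \sigma_1\right| = \frac{1}{2^n}\,\mathrm{tr}\left| \begin{pmatrix} \frac{1}{2} & -\frac{1}{2} \\ -\frac{1}{2} & -\frac{1}{2} \end{pmatrix}^{\otimes n} \right|,$$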





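here $|A|$ is the singular value matrix of matrix $A$, $|A| = \sqrt{A^\dagger A}$. By spectral
decomposition, we have the following conclusion for normal matrices $A_1$ and
$A_2$:

$$\mathrm{tr}|A_1 \otimes A_2| = \mathrm{tr}|A_1| \cdot \mathrm{tr}|A_2|, \tag{20}$$

we then have

$$D(\sigma_0, \sigma_1) = \frac{1}{2^n} \left( \mathrm{tr}\left| \begin{pmatrix} \frac{1}{2} & -\frac{1}{2} \\ -\frac{1}{2} & -\frac{1}{2} \end{pmatrix} \right| \right)^n = \left( \frac{1}{\sqrt{2}} \right)^n. \tag{21}$$

Finally

$$D(\rho_0, \rho_1) \le D(\sigma_0, \sigma_1) = \left( \frac{1}{\sqrt{2}} \right)^n. \tag{22}$$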



If we amend the protocol a little, the security against the first attack when
this scheme is used to encrypt multiple bits can be proved, and the security
against the second kind of attack can also be proved easily. That is the
second scheme, stated below.

2.2. Second scheme

The OWT of this scheme maps the classical message $b$ to an unknown
state

$$\rho_b = \sum_{j_1 \oplus \cdots \oplus j_n = b} Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j.$$

2.2.1. The scheme 

[Key generation] During the key generation phase, Bob generates his private
and public keys as follows:

(G1) Generate randomly a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^{n+1}$
as his private key;
(G2) Select randomly $|i\rangle$ with $i \in \{0,1\}^n$. Then select $s \in \{0,1\}^m$ randomly, and
compute $(k, p) = F(s)$. If $p \ne i_1 \oplus \cdots \oplus i_n$, Bob selects $s$ again until
$p = i_1 \oplus \cdots \oplus i_n$;
(G3) Apply $H_k$ to $|i\rangle$, and take $(s, H_k|i\rangle)$ as one of his public keys.

$F$ can be generated efficiently by the local coin tossing algorithm in Sec. 2.1.
In addition, because $F^{n+1}(s) = i_1 \oplus \cdots \oplus i_n$, to ensure the randomness of $i$,
$F^{n+1}(s)$ should be a balanced Boolean function.

[Encryption] If Alice wants to send a one-bit message $b$ to Bob, she should
get one of Bob's public keys, and then:

(E1) Select $j$ randomly from $\Omega_b$;
(E2) Alice applies $Y_j$ to $H_k|i\rangle$, and then sends $(s, Y_j H_k|i\rangle)$ to Bob.

[Decryption] After Bob receives $(s, Y_j H_k|i\rangle)$ sent by Alice, he should:

(D1) Calculate $(k, i_1 \oplus \cdots \oplus i_n) = F(s)$;
(D2) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure it in the basis $\{|0\rangle, |1\rangle\}^n$.

Finally, Bob will get the message from the parity of the weight of the measurement
result. The state after applying $H_k$ to $Y_j H_k|i\rangle$ is $(-1)^{j \cdot (i \oplus k) + W_H(j)/2}\,|i \oplus j\rangle$.
Thus, after measuring $H_k Y_j H_k|i\rangle$, Bob gets $|i \oplus j\rangle$. If $p(i) = 0$, the parity of
$W_H(j)$ is equal to the parity of $W_H(i \oplus j)$; if $p(i) = 1$, the parity of $W_H(j)$ is
opposite to the parity of $W_H(i \oplus j)$. Then the message (0 or 1) is obtained
from the parity of $W_H(j)$.

2.2.2. Security analysis 

The adversary also has two ways to attack the quantum public-key encryption
scheme. One is to attack the private key $F$ by getting information
about $k$; another is to attack the plaintext by distinguishing two ciphertexts.

For the first way, for different $k$, $H_k|i\rangle$ is indistinguishable. The states $H_k|i\rangle$ for $k$
and $k'$ ($k \ne k'$) are $\rho_k = \frac{1}{2^n} \sum_{i \in \{0,1\}^n} H_k|i\rangle\langle i|H_k^\dagger$ and
$\rho_{k'} = \frac{1}{2^n} \sum_{i \in \{0,1\}^n} H_{k'}|i\rangle\langle i|H_{k'}^\dagger$, respectively. We can get

$$\rho_k = \frac{1}{2^n} H_k H_k^\dagger = \frac{I}{2^n}. \tag{23}$$

Similarly, we get $\rho_{k'} = I/2^n$, then $D(\rho_k, \rho_{k'}) = 0$. Since $D(\mathcal{E}(\rho_k), \mathcal{E}(\rho_{k'})) \le
D(\rho_k, \rho_{k'})$ [24], we have $D(\rho_k, \rho_{k'}) = 0$. It means that for two states with trace
distance 0, no physical method can enlarge the trace distance between them,
and no quantum algorithm can distinguish the two quantum states. Thus
the two states are indistinguishable.

For the second way, the adversary cannot get any information about the
plaintext from the ciphertext. The ciphertext for a given $j$ is

$$\rho_j = Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j. \tag{24}$$

Because $i$ is selected randomly, and $F$ is independent of $i$, we have $p_{iF} = p_{i'F}$
($i \ne i'$), then

$$\rho_j = Y_j \left[ \sum_F H_{F(s)}\, p_{iF} I\, H_{F(s)} \right] Y_j = Y_j \left( \sum_F p_{iF} I \right) Y_j = \left( \sum_F p_{iF} \right) I = \frac{I}{2^n}. \tag{25}$$
Then for any $j$ and $j'$ ($j \ne j'$), $D(\rho_j, \rho_{j'}) = 0$, then $D(\rho_0, \rho_1) = 0$, here

$$\rho_b = \sum_{j_1 \oplus \cdots \oplus j_n = b} Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j. \tag{26}$$

Thus $D(\mathcal{E}(\rho_0), \mathcal{E}(\rho_1)) \le D(\rho_0, \rho_1) = 0$.

Denote $\rho_j(s) = Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j$. When this scheme is
used to encrypt $t$ bits, the ciphertext for the bit-string can be written as

$$\rho_{j^{(1)}}(s^{(1)}) \otimes \cdots \otimes \rho_{j^{(t)}}(s^{(t)}) = I/2^{nt}. \tag{27}$$

Then $D\left(\rho_{j^{(1)}}(s^{(1)}) \otimes \cdots \otimes \rho_{j^{(t)}}(s^{(t)}),\ \rho_{j^{(1)'}}(s^{(1)'}) \otimes \cdots \otimes \rho_{j^{(t)'}}(s^{(t)'})\right) = 0$.
According to [21], this scheme is information-theoretically secure.

2.3. Discussion on quantum OWT

To do the OWT from message $b$ to state $\mathcal{E}_m(\rho_b^{(n)}(F(s), i))$, one usually
does a unitary operation depending on $b$ on the public key $\rho_0^{(n)}(F(s), i)$, then
discards the extra outputs and gets $\mathcal{E}_m(\rho_b^{(n)}(F(s), i))$. One cannot obtain the
original state without the extra outputs. If one has done many operations
on $\rho_0^{(n)}(F(s), i)$, he cannot get the original state even with the extra outputs,
because he does not know the corresponding state of the extra outputs for the
certain operation.

Consider the unitary transformation $U_f(|x\rangle|y\rangle) = |x\rangle|y \oplus f(x)\rangle$. $|x\rangle$ is the
input qubit, and $|y\rangle$ is the auxiliary qubit. For the initial state $\sum_{x_i} \alpha_{x_i} |x_i\rangle|0\rangle$,
the output is

$$\sum_{x_i} \alpha_{x_i} |x_i\rangle|f(x_i)\rangle. \tag{28}$$

People with the trapdoor information $|x_i\rangle$ can do the following operation

$$U_{f^{-1}} |x_i\rangle|f(x_i)\rangle = |0\rangle|f(x_i)\rangle. \tag{29}$$

People without the trapdoor information $|x_i\rangle$ can only do

$$U_f(|x_i\rangle|f(x_j)\rangle) = |x_i\rangle|f(x_j) \oplus f(x_i)\rangle. \tag{30}$$

If $d_H(f(x_i), f(x_j)) = 0$, $|f(x_j) \oplus f(x_i)\rangle = |0\rangle$, then the input for $f(x_j)$ is
obtained. Consider the probability that $d_H(f(x_i), f(x_j)) = 0$ is valid. For
a given $f(x_j)$, the probability is $(\frac{1}{2})^n$. Then according to Eq. (3), it is a
one-way transformation.
3. Extend to multi-bit-oriented schemes

The scheme in Sec. 2 is one-bit-oriented. We now extend it to multi-bit-oriented
schemes. In the following scheme for multi-bit messages, the OWT
maps the classical message $j$ to an unknown state
$\rho_j = Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j$.
The trapdoor information is the basis $k = F(s)$ on which the quantum states
are encoded. The private key is a Boolean function $F$. Using a part of the
public key, $s$, the owner of the private key can get the trapdoor information $k$ by
$k = F(s)$.

3.1. The first scheme

[Key generation] During this phase, Bob can do as follows:

(G1) Select randomly a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^n$
as his private key;
(G2) Select randomly $s_1, s_2 \in \{0,1\}^m$, and compute $k = F(s_1)$, $i = F(s_2)$;
(G3) Apply $H_k$ to $|i\rangle$, and take $(s_1, s_2, H_k|i\rangle)$ as his public key.

[Encryption] If Alice wants to send an n-bit message $j$ to Bob, she should get
one of Bob's public keys, and then:

(E1) Apply $Y_j$ to $H_k|i\rangle$, and then send $(s_1, s_2, Y_j H_k|i\rangle)$ to Bob.

[Decryption] After Bob receives ® iV'sa) ® $Y_j H_k|i\rangle$ sent by Alice, he
should:

(D1) Calculate $k = F(s_1)$, $i = F(s_2)$;
(D2) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure in the basis $\{|0\rangle, |1\rangle\}^n$.

3.2. The second scheme

[Key generation]

(G1) Select randomly two multi-output Boolean functions $F_1 : \{0,1\}^m \to \{0,1\}^n$,
$F_2 : \{0,1\}^m \to \{0,1\}^n$ as his private key;
(G2) Select randomly $s \in \{0,1\}^m$, and compute $k = F_1(s)$, $i = F_2(s)$;
(G3) Apply $H_k$ to $|i\rangle$, and take $(s, H_k|i\rangle)$ as one of his public keys.

[Encryption] If Alice wants to send an n-bit message $j$ to Bob, she should get
one of Bob's public keys, and then:

(E1) Apply $Y_j$ to $H_k|i\rangle$, and then send $(s, Y_j H_k|i\rangle)$ to Bob.

[Decryption] After Bob receives $(s, Y_j H_k|i\rangle)$ sent by Alice, he should:

(D1) Calculate $k = F_1(s)$, $i = F_2(s)$;
(D2) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure in the basis $\{|0\rangle, |1\rangle\}^n$.
3.3. Analysis of both schemes

In the two multi-bit-oriented schemes described above, Bob can get the
message by measuring the result. The state after applying $H_k$ to $Y_j H_k|i\rangle$ is
$(-1)^{j \cdot (i \oplus k) + W_H(j)/2}\,|i \oplus j\rangle$; thus, after measuring $H_k Y_j H_k|i\rangle$, Bob gets $|i \oplus j\rangle$.
Because Bob can get the exact value of $i$, he can finally get the message $j$.

The adversary also has two ways to attack these two schemes. One is
to attack the private key by getting information about $k$; another is to attack
the plaintext by distinguishing the two ciphertexts. For the first method,
similar to the analysis in Sec. 2.2.2, the states $H_k|i\rangle$ for $k$ and $k'$ ($k \ne k'$) are
$\rho_k = \frac{1}{2^n} \sum_{i \in \{0,1\}^n} H_k|i\rangle\langle i|H_k^\dagger$ and
$\rho_{k'} = \frac{1}{2^n} \sum_{i \in \{0,1\}^n} H_{k'}|i\rangle\langle i|H_{k'}^\dagger$, respectively. We
can get $\rho_k = \rho_{k'} = I/2^n$, then $D(\mathcal{E}(\rho_k), \mathcal{E}(\rho_{k'})) \le D(\rho_k, \rho_{k'}) = 0$. Thus no
quantum algorithm can distinguish the two quantum states $\rho_k$ and $\rho_{k'}$; the
two states are indistinguishable.

For the second way, we can prove that the adversary cannot get any
information about the plaintext from the ciphertext. Let the message be $j$; the
ciphertext is

$$\rho_j = Y_j \left[ \sum_F H_{F(s)} \left( \sum_i p_{iF} |i\rangle\langle i| \right) H_{F(s)} \right] Y_j = I/2^n. \tag{31}$$

Then for any $j$ and $j'$ ($j \ne j'$), $D(\rho_j, \rho_{j'}) = 0$. Thus $D(\mathcal{E}(\rho_j), \mathcal{E}(\rho_{j'})) \le
D(\rho_j, \rho_{j'}) = 0$. No quantum algorithm can distinguish the two ciphertexts.

According to [21], this scheme is information-theoretically secure.



4. Enhanced schemes 

The schemes given above generally require that the public keys are different
from one another, so that the same public key is not reused. If the number of
public keys needed is exponentially large, and the same public key is reused,
the four schemes can be restated as follows.

4.1. Schemes encrypting one-bit message
4.1.1. First scheme

[Key Generation] During this phase, Bob can do as follows:

(G1) Select randomly a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^n$,
then select randomly $l \in \{0,1\}^m$. Take $(F, l)$ as his private key;
(G2) Select randomly $s \in \{0,1\}^m$, and compute $k = F(s)$, then calculate
$|\psi_s\rangle = |s_1\rangle_{l_1} \otimes |s_2\rangle_{l_2} \otimes \cdots \otimes |s_m\rangle_{l_m}$;
(G3) Generate $|i\rangle$ with $i \in \Omega_0$;
(G4) Apply $H_k$ to $|i\rangle$ and take $|\psi_s\rangle \otimes H_k|i\rangle$ as one of his public keys.

[Encryption] If Alice wants to send a one-bit message $b$ to Bob, she should
get one of Bob's public keys, and then:

(E1) Select $j$ randomly from $\Omega_b$;
(E2) Alice applies $I \otimes Y_j$ to $|\psi_s\rangle \otimes H_k|i\rangle$, and then sends $|\psi_s\rangle \otimes Y_j H_k|i\rangle$ to
Bob.

[Decryption] After receiving the ciphertext, Bob should:

(D1) Calculate from $|\psi_s\rangle$ and $l$ to get $s$;
(D2) Calculate $k = F(s)$;
(D3) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure it in the basis $\{|0\rangle, |1\rangle\}^n$.
4.1.2. Second scheme

[Key generation] During the key generation phase, Bob generates his private
and public keys as follows:

(G1) Generate a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^{n+1}$
randomly, then select randomly $l \in \{0,1\}^m$. Take $(F, l)$ as his private
key;
(G2) Select randomly $|i\rangle$ with $i \in \{0,1\}^n$. Then select $s \in \{0,1\}^m$ randomly, and
compute $(k, p) = F(s)$. If $p \ne i_1 \oplus \cdots \oplus i_n$, Bob selects $s$ again until
$p = i_1 \oplus \cdots \oplus i_n$;
(G3) Calculate $|\psi_s\rangle = |s_1\rangle_{l_1} \otimes |s_2\rangle_{l_2} \otimes \cdots \otimes |s_m\rangle_{l_m}$;
(G4) Apply $H_k$ to $|i\rangle$ and take $|\psi_s\rangle \otimes H_k|i\rangle$ as one of his public keys.

[Encryption] If Alice wants to send a one-bit message $b$ to Bob, she should
get one of Bob's public keys, and then:

(E1) Select $j$ randomly from $\Omega_b$;
(E2) Alice applies $I \otimes Y_j$ to $|\psi_s\rangle \otimes H_k|i\rangle$, and then sends $|\psi_s\rangle \otimes Y_j H_k|i\rangle$ to
Bob.

[Decryption] After Bob receives $|\psi_s\rangle \otimes Y_j H_k|i\rangle$ sent by Alice, he should:

(D1) Calculate from $|\psi_s\rangle$ and $l$ to get $s$;
(D2) Calculate $(k, i_1 \oplus \cdots \oplus i_n) = F(s)$;
(D3) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure it in the basis $\{|0\rangle, |1\rangle\}^n$.
4.2. Schemes encrypting multi-bit
4.2.1. First scheme

[Key generation] During this phase, Bob can do as follows:

(G1) Select randomly a multi-output Boolean function $F : \{0,1\}^m \to \{0,1\}^n$,
then select randomly $l \in \{0,1\}^m$. Take $(F, l)$ as his private key;
(G2) Select randomly $s_1, s_2 \in \{0,1\}^m$, and compute $k = F(s_1)$, $i = F(s_2)$.
Then calculate $|\psi_{s_1}\rangle = |s_{11}\rangle_{l_1} \otimes |s_{12}\rangle_{l_2} \otimes \cdots \otimes |s_{1m}\rangle_{l_m}$,
$|\psi_{s_2}\rangle = |s_{21}\rangle_{l_1} \otimes |s_{22}\rangle_{l_2} \otimes \cdots \otimes |s_{2m}\rangle_{l_m}$;
(G3) Apply $H_k$ to $|i\rangle$ and take $|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle \otimes H_k|i\rangle$ as his public key.

[Encryption] If Alice wants to send an n-bit message $j$ to Bob, she should get
one of Bob's public keys, and then:

(E1) Apply $I \otimes I \otimes Y_j$ to $|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle \otimes H_k|i\rangle$, and then send
$|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle \otimes Y_j H_k|i\rangle$ to Bob.

[Decryption] After Bob receives $|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle \otimes Y_j H_k|i\rangle$ sent by Alice, he
should:

(D1) Calculate from $|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle$ and $l$ to get $s_1$ and $s_2$;
(D2) Calculate $k = F(s_1)$, $i = F(s_2)$;
(D3) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure in the basis $\{|0\rangle, |1\rangle\}^n$.

4.2.2. Second scheme

[Key generation]

(G1) Select randomly two multi-output Boolean functions $F_1 : \{0,1\}^m \to \{0,1\}^n$,
$F_2 : \{0,1\}^m \to \{0,1\}^n$, then select randomly $l \in \{0,1\}^m$. Take
$(F_1, F_2, l)$ as his private key;
(G2) Select randomly $s \in \{0,1\}^m$, and compute $k = F_1(s)$, $i = F_2(s)$. Then
calculate $|\psi_s\rangle = |s_1\rangle_{l_1} \otimes |s_2\rangle_{l_2} \otimes \cdots \otimes |s_m\rangle_{l_m}$;
(G3) Apply $H_k$ to $|i\rangle$ and take $|\psi_s\rangle \otimes H_k|i\rangle$ as one of his public keys.

[Encryption] If Alice wants to send an n-bit message $j$ to Bob, she should get
one of Bob's public keys, and then:

(E1) Apply $I \otimes Y_j$ to $|\psi_s\rangle \otimes H_k|i\rangle$, and then send $|\psi_s\rangle \otimes Y_j H_k|i\rangle$ to Bob.

[Decryption] After Bob receives $|\psi_s\rangle \otimes Y_j H_k|i\rangle$ sent by Alice, he should:

(D1) Calculate from $|\psi_s\rangle$ and $l$ to get $s$;
(D2) Calculate $k = F_1(s)$, $i = F_2(s)$;
(D3) Apply $H_k$ to $Y_j H_k|i\rangle$, and measure in the basis $\{|0\rangle, |1\rangle\}^n$.

Remark: it can be seen that, if we use $(s, H_k|i\rangle)$ as the public key, for example,
in the first multi-bit-oriented scheme, for the same $(s_1, s_2)$, $k$ and $i$ are also
the same, so there may exist many copies of the same $(s_1, s_2, H_k|i\rangle)$, and the
adversary may obtain information about $F$ from these copies. When we use
$|\psi_{s_1}\rangle \otimes |\psi_{s_2}\rangle \otimes H_k|i\rangle$ as the public key, the adversary cannot get $s_1$ and $s_2$
directly, so he cannot get information about $F$ even if $(s_1, s_2)$ are reused.



5. Discussions 

Every classical public-key scheme, such as RSA [1], is insecure under a
man-in-the-middle (MIM) attack. If the adversary can intercept Bob's public key
distribution channel, she can replace Bob's public key (n, e) with her own
public key (n', e'), and send it to Alice. When Alice encrypts her message
with (n', e') and sends the ciphertext back to Bob, the adversary may decrypt
the ciphertext to get the message. Finally the adversary encrypts the message
with (n, e), and sends this ciphertext to Bob. We can see that nobody will
be aware of the existence of the adversary. It is clear that for the design of a
public-key encryption scheme, it is necessary to ensure that Alice can obtain
the public key of Bob securely. Actually, this precondition is necessary for all
classical and quantum public-key encryption protocols. Resisting the MIM
attack is the task of mechanisms such as public-key infrastructure (PKI).

A common feature of the scheme in [13] and our bit-oriented scheme is that
an n-qubit public key is needed to encrypt a one-bit message. The difference
is that, in the scheme of [13], the public keys are the same for different
messages; however, in our schemes, the public keys are different for every
encryption, as a result of choosing different $s$ and $|i\rangle$ at each key
generation. The security of our schemes is highly improved, while
the resources needed to store the quantum public keys are kept the
same.



6. Conclusion 

We propose several QPKE schemes for classical messages, and prove that
some of them are information-theoretically secure. From a practical point of
view, these schemes based on single-photon strings may be realized in the near
future.

Acknowledgement 

This work was supported by the National Natural Science Foundation of 
China under Grant No. 61173157. 

References 

[1] R. L. Rivest, A. Shamir, and L. A. Adleman, "A method for obtaining
digital signatures and public-key cryptosystems", Commun. ACM 21,
pp. 120-126, 1978.

[2] T. ElGamal, "A public key cryptosystem and a signature scheme based
on discrete logarithms", IEEE Trans. Inf. Theory 31, pp. 469-471, 1985.

[3] P. W. Shor, "Algorithms for quantum computation: discrete logarithms
and factoring", in Proceedings of the 35th Annual Symposium on the
Foundations of Computer Science, S. Goldwasser, ed., pp. 124-134,
1994.

[4] C. H. Bennett and G. Brassard, "Quantum cryptography: Public-key
distribution and coin tossing", in Proceedings of the IEEE International
Conference on Computers, Systems and Signal Processing, Bangalore,
India (IEEE, New York), 1984.

[5] G. L. Long and X. S. Liu, "Theoretically efficient high-capacity
quantum-key-distribution scheme", Phys. Rev. A, 65, p. 032302, 2002.

[6] W. Chen, Z. F. Han, X. F. Mo, F. X. Xu, G. Wei and G. C. Guo, "Active
phase compensation of quantum key distribution system", Chinese Science
Bulletin, pp. 1310-1314, 2008.

[7] H. Lu and Q. Y. Cai, "Quantum key distribution with classical Alice",
International Journal of Quantum Information, pp. 1195-1202,
2008.

[8] G. Q. He, H. B. Guo, Y. D. Li, S. W. Zhu and G. H. Zeng, "Quantum
key distribution using binary-modulated coherent states", Acta Physica
Sinica, 57, p. 2217, 2008.

[9] T. Okamoto, K. Tanaka, and S. Uchiyama, "Quantum Public-key
Cryptosystems", in Advances in Cryptology: Crypto 2000 Proceedings,
LNCS, M. Bellare, ed., 1880, pp. 147-165, 2000.

[10] D. Gottesman, "Quantum Public Key Cryptography with
Information-Theoretic Security", See:
http://www.perimeterinstitute.ca/personal/dgottesman/Public-key.ppt,
2005.

[11] L. Yang, "Quantum public-key cryptosystem based on classical
NP-Complete problem", e-print arXiv: quant-ph/0310076, 2003.

[12] L. Yang, M. Liang, B. Li, L. Hu, and D. G. Feng, "Quantum public-key
cryptosystems based on induced trapdoor one-way transformations",
e-print arXiv: quant-ph/1012.5249, 2010.

[13] A. Kawachi, T. Koshiba, H. Nishimura, and T. Yamakami,
"Computational Indistinguishability between Quantum States and Its
Cryptographic Application", in Advances in Cryptology: Eurocrypt 2005
Proceedings, LNCS, R. Cramer, ed., 3494, pp. 268-284, 2005.

[14] A. Kawachi, T. Koshiba, H. Nishimura, and T. Yamakami,
"Computational Indistinguishability between Quantum States and Its
Cryptographic Application", e-print arXiv: quant-ph/0403069, 2004.

[15] G. M. Nikolopoulos, "Applications of Single-qubit Rotations in
Quantum Public-key Cryptography", Phys. Rev. A. 77, p. 032348, 2008.

[16] G. M. Nikolopoulos, "Deterministic quantum-public-key encryption:
Forward search attack and randomization", Phys. Rev. A. 79, p. 042327,
2009.

[17] F. Gao, Q. Y. Wen, S. J. Qin and F. C. Zhu, "Quantum asymmetric
cryptography with symmetric keys", Science in China Series G: Physics
Mechanics and Astronomy, 52, pp. 1925-1931, 2009.

[18] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of
Applied Cryptography, CRC Press, Boca Raton, 1997.

[19] O. Goldreich, Foundations of Cryptography: Basic Applications,
Publishing House of Electronics Industry, Beijing, 2004.

[20] J. Y. Pan, and L. Yang, "Quantum Public-key Encryption with
Information Theoretic Security", e-print arXiv: quant-ph/1006.0354, 2010.

[21] L. Yang, C. Xiang, and B. Li, "Quantum probabilistic encryption
protocol based on conjugate coding", e-print arXiv: quant-ph/1204.6664,
2012.

[22] M. Hayashi, A. Kawachi, and H. Kobayashi, "Quantum Measurements
for Hidden Subgroup Problems with Optimal Sample Complexity",
Quantum Inf. Comput. 8, pp. 0345-0358, 2008.

[23] L. Yang, C. Xiang, and B. Li, "Qubit-string-based bit commitment
protocols with physical security", e-print arXiv: quant-ph/1011.5099, 2010.

[24] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum
Information (Cambridge University Press, Cambridge, England), 2000.



